Re: Re: [COMMITTERS] pgsql: Add support for matching wildcard server certificates to the new

On Friday 28 November 2008 17:13:54 Magnus Hagander wrote:
> Matching *only* as the first character will make it impossible to make
> certificates for "www*.domain.com", which is AFAIK fairly popular - and
> one of the examples you'll find on CA sites. But it would be fairly easy
> to add this restriction if people feel that's a better way.

Are there actual technical or administrative or security arguments for or 
against this?  For example, what are the criteria one has to fulfill in order 
to get such a certificate?  Or is there a "defensive certification" security 
line of reasoning?

Now certificate issuing is a real business, so we need to play in that context 
as well, but I would like to dig a little deeper why things should be done in 
a certain way.

I am quite confortable, for example, with * matching subdomains, because if I 
own example.com, then I can create any level of subdomain I want, without 
making a real difference to user/client program.  But then I don't really get 
the point of having * inside of words -- would "www*.domain.com" also match 
dots then?